Splunk® Enterprise

Installation Manual

Download manual as PDF

Install the universal forwarder on AIX

Important: Splunk does not offer an installation package for Splunk Enterprise version 6.3.0 or later on AIX. It does, however, offer a universal forwarder installation package for AIX versions 6.1 and 7.1. These instructions detail how to install the universal forwarder on those versions of AIX.

To use Splunk Enterprise on AIX, you must download an older version of the Splunk software.


The user that you install the universal forwarder as must have permission to read /dev/random and /dev/urandom or the installation will fail.

Basic install

The AIX universal forwarder installer comes in tar file form. There is no current version of Splunk Enterprise available for AIX.

When you install with the tar file:

  • Splunk Enterprise does not create the splunk user automatically. If you want Splunk Enterprise to run as a specific user, you must create the user manually.
  • Be sure the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.
  • We recommend you use GNU tar to unpack the tar files, as AIX tar can fail to unpack long file names, fail to overwrite files, and other problems. If you must use the system tar, be sure to check the output for error messages.

To install the universal forwarder on an AIX system, expand the tar file into an appropriate directory. The default install directory is /opt/splunkforwarder.

Start the universal forwarder

The universal forwarder can run as any user on the local system. If you run it as a non-root user, make sure that it has the appropriate permissions to read the inputs that you specify. Refer to the instructions for running the forwarder as a non-root user for more information.

To start the forwarder from the command line interface, run the following command from $SPLUNK_HOME/bin directory (where $SPLUNK_HOME is the directory into which you installed the forwarder):

 ./splunk start

By convention, this document uses:

  • $SPLUNK_HOME to identify the path to the universal forwarder installation.
  • $SPLUNK_HOME/bin/ to indicate the location of the command line interface.

Enable automatic starting of the universal forwarder at boot time

The AIX version of the universal forwarder does not register itself to auto-start on reboot. However, you can do so by running the following command from the $SPLUNK_HOME/bin directory at a prompt:

./splunk enable boot-start

This command invokes the following system commands to register Splunk Enterprise and Splunk Web in the System Resource Controller (SRC):

mkssys -G splunk -s splunkd -p <path to splunkd> -u <splunk user> -a _internal_exec_splunkd -S -n 2 -f 9

When you enable automatic boot start, the SRC handles the run state of the forwarder. This means that you must use a different command to start and stop Splunk Enterprise manually:

  • /usr/bin/startsrc -s splunkd to start the universal forwarder.
  • /usr/bin/stopsrc -s splunkd to stop the universal forwarder.

If you attempt to start and stop the forwarder using the ./splunk [start|stop] method from the $SPLUNK_HOME directory, the SRC catches the attempt and the forwarder displays the following message:

Splunk boot-start is enabled. Please use /usr/bin/[startsrc|stopsrc] -s splunkd to [start|stop] Splunk.

To prevent this message from occurring and restore the ability to start and stop Splunk Enterprise from the $SPLUNK_HOME directory, disable boot start:

./splunk disable boot-start

Startup options

The first time you start the universal forwarder after a new installation, you must accept the license agreement. To start the forwarder and accept the license in one step:

 $SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

For more information, refer to "Splunk Enterprise startup options" in this manual.

Install the universal forwarder on FreeBSD
Install the universal forwarder on HP-UX

This documentation applies to the following versions of Splunk: 6.3.0, 6.3.1 View the Article History for its revisions.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole
Feedback you enter here will be delivered to the documentation team

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters